Malware Activity
Buhti Ransomware Operation Observed Using LockBit Black and Babuk Ransomware to Target Windows and Linux Machines
Researchers have observed a new ransomware operation, dubbed "Buhti," using the leaked source code of the LockBit and Babuk ransomware families in its latest activity. Buhti, first discovered in February 2023, targets Windows systems with a LockBit Black payload and Linux systems with variants of Babuk, and uses a custom data exfiltration tool for double extortion. The exfiltration tool is a Go-based information stealer that can target specifically chosen file systems and twenty-nine (29) file types. Buhti's operators, tracked as Blacktail, have also been observed exploiting the PaperCut NG and MF remote code execution (RCE) vulnerability, tracked as CVE-2023-27350, to "install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise" on targeted machines, then leveraging those tools to "steal data from, and deliver the ransomware payload to, multiple computers on the targeted network." In February 2023, the actors were also identified exploiting CVE-2022-47986, a critical RCE flaw in the IBM Aspera Faspex file exchange product. Buhti attacks have been seen in various countries, including the United States, the United Kingdom, China, Germany, Czechia, and Ethiopia. Researchers advise administrators not to underestimate Blacktail: although the group relies on leaked ransomware code, its ability to quickly exploit newly disclosed vulnerabilities, combined with the tactics observed in its early attacks, makes it a considerable threat. CTIX analysts will continue to monitor Blacktail's activities and provide updates on the Buhti ransomware operation as it evolves. Additional details and indicators of compromise (IOCs) can be viewed in the report linked below.
Threat Actor Activity
Chinese Threat Group Reportedly Targets United States Critical Infrastructure
An emerging Chinese state-sponsored threat group has reportedly been targeting United States critical infrastructure in its current operations. Tracked as Volt Typhoon, the group has been actively targeting critical infrastructure organizations in the government, communications, transportation, maritime, information technology, and education sectors. In these attacks, Volt Typhoon actors typically gain initial access through vulnerable internet-facing Fortinet FortiGuard devices, which give them a direct foothold in the victim's network. The actors then attempt to obtain privileged access to Active Directory by harvesting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process. They have also been observed using the built-in command-line utility ntdsutil to create installation media from domain controllers; such media, intended for standing up new domain controllers, contain domain account names and password hashes that the actors can crack offline to obtain valid credentials and regain access if their original foothold is lost. As a final step, Volt Typhoon establishes a command-and-control (C2) connection back to its infrastructure, routed through compromised small-office/home-office (SOHO) network devices to blend in with normal traffic, for remote command execution and remote access to the victim's network(s). The group relies heavily on 'living-off-the-land' techniques, using resources already present on compromised systems, including the on-screen keyboard and other LOLBin binaries, to transfer additional payloads from the C2 server into victim networks. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
- The Record: Volt Typhoon Article 1
- The Record: Volt Typhoon Article 2
- Microsoft: Volt Typhoon Article
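A detection the section above implies, as an added example that is not part of the original report or Microsoft's guidance: a small hunt over Windows process-creation telemetry (Sysmon Event ID 1 or Windows 4688 fields) for the two credential-theft steps described, LSASS memory dumps and ntdsutil-created domain controller installation media. The event model, rule names and sample events are constructed for this illustration, and the LSASS rules assume the common built-in (comsvcs.dll MiniDump) and Sysinternals ProcDump methods rather than any specific tool the reporting attributes to Volt Typhoon.

```python
"""Added example: hunting Windows process-creation telemetry for LSASS dumps and
ntdsutil domain-controller media exports (constructed sample data, not real logs)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal projection of a Sysmon Event ID 1 (or Windows 4688) record."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# (rule name, regex over the image file name, regex over the full command line).
# Both patterns must match; all matching is case-insensitive.
RULES = [
    # ntdsutil "install from media" export: writes NTDS.dit plus the SYSTEM hive,
    # i.e. every domain password hash, to disk for offline cracking.
    ("ntdsutil_ifm_export", r"^ntdsutil(\.exe)?$",
     r"\bifm\b|create\s+full|ac\s+i\s+ntds"),
    # LSASS dump using nothing but built-in binaries: rundll32 + comsvcs.dll MiniDump.
    ("lsass_dump_comsvcs", r"^rundll32(\.exe)?$",
     r"comsvcs(\.dll)?.*?(#24|minidump).*?lsass"),
    # LSASS dump using Sysinternals ProcDump.
    ("lsass_dump_procdump", r"^procdump(64)?(\.exe)?$",
     r"-ma\s+lsass"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]


def classify(event: ProcessEvent) -> list[str]:
    """Names of every rule the event triggers; an empty list means nothing suspicious."""
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1]
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(image_name) and cmd_re.search(event.command_line)]


def hunt(events: list[ProcessEvent]) -> dict[str, list[tuple[str, str]]]:
    """Group hits per host so the credential-theft chain on each machine is visible."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.host, []).append((rule, ev.command_line))
    return findings


# Constructed sample telemetry: one DC export, one LSASS dump, two benign events.
SAMPLE_EVENTS = [
    ProcessEvent("DC01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\ntdsutil.exe",
                 'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'),
    ProcessEvent("WS07", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\rundll32.exe",
                 "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Temp\\lsass.dmp full"),
    ProcessEvent("WS07", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
                 "C:\\Windows\\System32\\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ProcessEvent("WS12", "CORP\\asmith", "C:\\Windows\\explorer.exe",
                 "C:\\Windows\\System32\\notepad.exe",
                 "notepad.exe C:\\Users\\asmith\\notes.txt"),
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for rule, cmd in hits:
            print(f"{host}: {rule}: {cmd}")
```

The image-name match alone is deliberately not enough to fire: the benign rundll32 control-panel launch on WS07 is ignored, and only the comsvcs MiniDump invocation against lsass is reported, which keeps the hunt usable on hosts where rundll32 and reg tooling run constantly.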
Vulnerabilities
Critical AT&T Zero-day Vulnerability Allowed for Account Takeover by Only Knowing the Victim's Phone Number and Zip Code
AT&T has patched a critical zero-day vulnerability that could have been exploited to take over any ATT.com account using only the victim's phone number and zip code. The flaw was discovered by security researcher Joseph Harris, who abused an account-merging feature to merge his own account with any other user's account. According to Harris' proof-of-concept (PoC), an attacker creates a free ATT.com profile, uses the "combine accounts" button, and selects "already registered accounts." The attacker is then prompted for the account's phone number and zip code, which reveals the victim's account, and a prompt to enter that account's password follows. Harris intercepted the password request on its way to the ATT.com backend and rerouted it to an account he already controlled. Once the merge succeeds, the attacker controls the victim's account and can carry out a host of malicious activity, including full account takeover, SIM swapping, and adding other devices or phone numbers to the victim's account. Several well-known researchers have publicly stated that this is a very dangerous vulnerability because of how easy it is to exploit. Roger Grimes of KnowBe4 added that the ease with which anyone could merge accounts is troubling and suggests that ATT.com likely has further related and unrelated zero-day vulnerabilities still open to exploitation. Telecommunications companies are lucrative targets for both financially motivated and state-sponsored threat actors, and the Federal Communications Commission (FCC) has confirmed multiple breaches impacting some of the largest providers, including Verizon, T-Mobile, and AT&T.
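The flaw Harris describes is an account-merge flow in which the account asked for a password is not necessarily the one that ends up merged. The following is an added example, not AT&T's code: the account store, the `VulnerableMerge` and `HardenedMerge` classes, and the two-step token flow are a hypothetical model built from the description above. The vulnerable class takes the account to verify from a separate request parameter, so an attacker who knows only the victim's phone number and zip code can pass their own account ID and password; the hardened class resolves the target once on the server, stores it under a single-use random token, and verifies the password against that bound target only, so the client cannot redirect the check.

```python
"""Added example: an account-merge flow whose password check can be pointed at the wrong
account, beside a version that binds the check to the resolved target (hypothetical model)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    id: str
    phone: str
    zip_code: str
    salt: bytes
    pw_hash: bytes
    merged_into: str | None = None   # set when another account absorbs this one


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(acct_id: str, phone: str, zip_code: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(acct_id, phone, zip_code, salt, _hash(password, salt))


class Directory:
    def __init__(self, accounts: list[Account]) -> None:
        self.by_id = {a.id: a for a in accounts}

    def find(self, phone: str, zip_code: str) -> Account | None:
        return next((a for a in self.by_id.values()
                     if a.phone == phone and a.zip_code == zip_code), None)

    def check_password(self, acct_id: str, password: str) -> bool:
        acct = self.by_id.get(acct_id)
        return acct is not None and hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))


class VulnerableMerge:
    """The target is resolved from phone + zip, but the account whose password is checked
    is a separate client-supplied parameter, so the two can disagree."""
    def __init__(self, directory: Directory) -> None:
        self.dir = directory

    def combine(self, requester_id: str, phone: str, zip_code: str,
                verify_acct_id: str, password: str) -> str:
        target = self.dir.find(phone, zip_code)
        if target is None:
            return "not_found"
        # BUG: nothing ties verify_acct_id to `target`; the attacker names their own account.
        if not self.dir.check_password(verify_acct_id, password):
            return "bad_password"
        target.merged_into = requester_id
        return "merged"


class HardenedMerge:
    """Two steps: start() resolves the target and stores it server-side under a random
    single-use token; complete() checks the password against that stored target only."""
    def __init__(self, directory: Directory) -> None:
        self.dir = directory
        self.pending: dict[str, tuple[str, str | None]] = {}

    def start(self, requester_id: str, phone: str, zip_code: str) -> str:
        target = self.dir.find(phone, zip_code)
        token = secrets.token_urlsafe(24)
        # A token is issued either way so the response does not reveal whether the
        # phone/zip pair belongs to a real customer.
        self.pending[token] = (requester_id, target.id if target else None)
        return token

    def complete(self, requester_id: str, token: str, password: str) -> str:
        entry = self.pending.pop(token, None)   # single use: a replay gets "invalid_challenge"
        if entry is None or entry[0] != requester_id:
            return "invalid_challenge"
        target_id = entry[1]
        if target_id is None or not self.dir.check_password(target_id, password):
            return "verification_failed"
        self.dir.by_id[target_id].merged_into = requester_id
        return "merged"


def demo() -> dict[str, str]:
    """Constructed scenario: the attacker knows the victim's phone and zip plus their own password."""
    victim_phone, victim_zip = "+15555550100", "30301"

    def fresh() -> Directory:
        return Directory([make_account("victim", victim_phone, victim_zip, "V1ctim-Pass!"),
                          make_account("attacker", "+15555550199", "90210", "attacker-pw")])

    results: dict[str, str] = {}
    d = fresh()
    results["vulnerable"] = VulnerableMerge(d).combine(
        "attacker", victim_phone, victim_zip, "attacker", "attacker-pw")
    results["vulnerable_owner"] = d.by_id["victim"].merged_into or "none"
    d = fresh()
    h = HardenedMerge(d)
    tok = h.start("attacker", victim_phone, victim_zip)
    results["hardened_attacker_pw"] = h.complete("attacker", tok, "attacker-pw")
    tok = h.start("attacker", victim_phone, victim_zip)
    results["hardened_victim_pw"] = h.complete("attacker", tok, "V1ctim-Pass!")
    results["hardened_replay"] = h.complete("attacker", tok, "V1ctim-Pass!")
    results["hardened_owner"] = d.by_id["victim"].merged_into or "none"
    return results


if __name__ == "__main__":
    print(demo())
```

In the vulnerable flow the merge succeeds with the attacker's own password and the victim's account is absorbed; in the hardened flow the same request fails verification, only the victim's real password completes the merge, and the consumed token cannot be replayed.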
Honorable Mention
OpenAI Leaders Push for AI Regulations to Avoid Dangers and Reap Benefits
Concerns about the development of artificial intelligence and its potential harms to society have been voiced with growing urgency over the past decade. Alongside predictions of catastrophic outcomes are more insidious ones: a society that becomes dependent on machines and loses its ability to self-govern, or a world in which the few who control AI rule the many, creating a permanent caste system. Acknowledging these concerns, the leaders of ChatGPT developer OpenAI, including its cofounders and chief executive, have called for urgent regulation of "superintelligent" AI, proposing an equivalent of the International Atomic Energy Agency for AI to protect humanity from developing something with the power to destroy it. Within the next ten (10) years, they foresee AI exceeding "expert skill level in most domains" and able to "carry out as much productive activity as one of today's largest corporations," warning that "superintelligence will be more powerful than other technologies humanity has had to contend with in the past." Rather than the pause on AI development urged in a recently published letter from AI experts, OpenAI's leaders favor an international regulator that would "inspect systems, require audits, test for compliance with safety standards, [and] place restrictions on degrees of deployment and levels of security." They hope such capabilities can be used to build a prosperous future, arguing that humanity cannot afford to halt development and forgo the tremendous upsides AI offers, such as those already being seen in education, creativity, and personal growth.
However, they are also careful to point out that "given the possibility of existential risk, we can't just be reactive," and so they urge companies at the cutting edge of AI research to coordinate their efforts, integrating the technology into society smoothly while prioritizing safety.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.